Saturday, 27 April 2013

The BBC news of 26 April 2013 makes me happy that the biggest DDoS attack in the world history of the internet is finally solved. I give high appreciation to the Dutch police for their hard effort in investigating and solving the case. It is a great investigation, as it was solved in around 2 weeks. Very good job...!

BBC:
Spanish police have arrested a Dutchman suspected of being behind one of the biggest ever web attacks.
The 35-year-old man was detained in Barcelona following a request from the Dutch public prosecutor.
The attack bombarded the websites of anti-junk mail outfit Spamhaus with huge amounts of data in an attempt to knock them offline.
It also slowed data flows over closely linked networks and led to a massive police investigation.
The man arrested is believed to be Sven Kamphuis, the owner and manager of Dutch hosting firm Cyberbunker that has been implicated in the attack.

"Spamhaus is delighted at the news that an individual has been arrested and is grateful to the Dutch police for the resources they have made available and the way they have worked with us," said a Spamhaus spokesman.
He added: "Spamhaus remains concerned about the way network resources are being exploited as they were in this incident due to the failure of network providers to implement best practice in security."
Spamhaus servers were hit with a huge amount of data via an attack technique known as a Distributed Denial of Service (DDoS) attack. This attempts to overwhelm a web server by sending it many more requests for data than it can handle.
A typical DDoS attack employs about 50 gigabits of data every second (Gbps). At its peak the attack on Spamhaus hit 300 Gbps.

For complete news, please go to the source below:
http://www.bbc.co.uk/news/technology-22314938

Friday, 26 April 2013

Several days ago, the ADFA (Association of Digital Forensic Analysts) was established as an interactive group on LinkedIn. This Association is intended as an international portal for encouraging digital forensic analysts from law enforcement agencies, private companies, universities, freelancers and so on all over the world to share with one another on digital forensics and related issues. It is expected that the members will keep such information up to date. Any problems related to these issues are welcome to be shared, and other members are then pleased to offer solutions. Those who are interested, please go to the link below and become a member of the Association.

I just want to share the "Mobile Forensic Materials" which I presented at the 2013 HADFEx (Hacking And Digital Forensic Expose) conference held at the University of Islamic Indonesia in Yogyakarta, Indonesia, on 13 April 2013. The file is a PDF compiled from the presentation slides and comprises 24 pages. Please get it from the link below: http://db.tt/LHe46c50

SOP 2 about Working Hours Commitment

One type of evidence that can be found at the scene, in both civil and criminal cases, is electronic/digital evidence such as personal computers (PCs), laptops/notebooks, netbooks, tablet PCs, mobile phones, flash disks, memory cards, voice recordings, video recordings, digital images and others. Electronic evidence has a significant position in the disclosure of a case because it stores digital data that can be used to explain the history and reconstruction of the case. Therefore, the examination of electronic evidence should be based on SOP 8 to 15, which refer to the international guidelines issued by the Association of Chief Police Officers (ACPO) and 7Safe in the UK and by the National Institute of Justice under the Department of Justice in the US, so that the results are as expected and can be justified scientifically and legally.

SOP 8 to 15 require a working reference that describes the time range needed for their technical implementation. This is necessary so that the digital forensic examination of electronic/digital evidence can be run efficiently and effectively, and so that the results are more useful for investigators, who need fast examination results to decide on further investigative steps. With the required time range described technically, the examiner can estimate how long each type of digital forensic examination will take procedurally.

For that reason, SOP 2 describes the time range required for each type of examination, called the 'Working Hours Commitment'. This working hours commitment describes in more detail the time range for each type of examination, which generally consists of 5 (five) stages, namely the acceptance phase, acquisition, analysis, reporting and submitting of evidence. With these detailed steps, it can serve as a technical guide for digital forensic examiners from the start to the end of an examination in accordance with the expected procedures. Nevertheless, the time range is predictive and is flexibly adapted to the complexity of the case.

2. Purpose

For orderly administration and technical conduct of digital forensic examinations as described in SOP 8 to 15, with a description of the time range (working hours commitment) required for each examination, in which the working hours commitment is based on the assumption of 7 working hours within 1 working day.

3. Scope

The scope of this SOP is as follows:
3.1. Working Hours for examination and analysis on Harddisk
3.2. Working Hours for examination and analysis on Handphone
3.3. Working Hours for examination and analysis on Simcard
3.4. Working Hours for examination and analysis on Flashdisk/Memory Card
3.5. Working Hours for examination and analysis on Triage Forensic
3.6. Working Hours for examination and analysis on Audio Forensic
3.7. Working Hours for examination and analysis on Video Forensic
3.8. Working Hours for examination and analysis on Digital Image Forensic
3.9. Working Hours for examination and analysis on Network Forensic

The following working hours commitment does not include the number of hours used for clarification of data/digital findings with investigators, because this often takes a long time and cannot be predicted exactly, as it depends on the workload of the investigation team. This SOP only discusses working hours for the technical examination and analysis of digital forensics within the Computer Forensic Sub-Department.

6.1. Working Hours for examination and analysis on Harddisk

The working hours commitment for the examination and analysis of 1 unit of hard disk is about 38 working hours (about 6 working days), with details as follows:

The working hours commitment for the examination and analysis of 1 unit of PC/laptop (ON and OFF) at the scene is about 9 working hours (about 2 working days), with details as follows:

Saturday, 20 April 2013

Again, the philosophy of "no system is perfect" is proved, including for routers used at home and in small offices. The router is a basic device and topic in networking. When it is compromised, it is dangerous for the users of the network. They would become victims of a hacker's attack even though their machines are already protected with the latest patches. I just imagine if it happened on a small government network: it could cause a leakage of data which could be confidential.

From The SANS Institute:
--Study Says Home Routers Vulnerable to Attacks (April 17 & 18, 2013) Many widely used home routers are easy to hack into, according to a study by a company called Independent Security Evaluators. A test found 13 of the most popular home routers had easily remotely exploitable vulnerabilities that could be used to snoop on or modify network traffic. All of the routers tested were using the most recent firmware and were tested with their out-of-the box default configurations.

Those products were the Linksys WRT310v2, Netgear's WNDR4700, TP-Link's WR1043N, Verizon's FiOS Actiontec MI424WR-GEN3I, D-Link's DIR865L and Belkin's N300, N900 and F5D8236-4 v2 models.
Compromised routers are valuable to hackers, since they can intercept the traffic of anyone on that network. If the traffic is unencrypted, it can be viewed.
Man-in-the-middle attacks can let a hacker launch more sophisticated attacks on all users in the router's domain, ISE said. Hackers can perform attacks such as sniffing and rerouting non-SSL (Secure Sockets Layer) traffic, tampering with DNS (Domain Name System) settings and conducting distributed denial-of-service attacks.
The consultancy divided the attacks into those which required an attacker to be on the same network and those on networks that could be attacked remotely. Two routers from Belkin, the N300 and N900, were vulnerable to a remote attack that did not require the hacker to have authentication credentials.
All of the named products were vulnerable to an authenticated attack if the hacker was on the same network and had login credentials or access to a victim who had an active session on the particular network.

Saturday, 13 April 2013

Today, from morning till afternoon, along with other computer professionals, we are attending HADFEX, a workshop and conference on hacking and digital forensics. It is conducted by the University of Islamic Indonesia in Yogyakarta. It is a very good activity involving many computer professionals coming from different areas in Indonesia, and it is meant to be a place where we can share with one another anything on forensics and hacking. As requested by the HADFEX committee, at this conference I deliver a talk on Mobile Forensic Investigation. I share the basic principles of mobile forensics, from physical and logical acquisition to the forensic data mechanism. I hope such conferences/workshops can continue regularly. Good job to the committee for their hard effort in making it a success.

SOP 1 about Digital Forensic Examination Procedure

One type of evidence that can be found at the scene, in both civil and criminal cases, is electronic evidence such as personal computers (PCs), laptops/notebooks, netbooks, tablet PCs, mobile phones, flash disks, memory cards, etc. Electronic evidence has a significant role in the disclosure of a case because it stores digital data that can be used to explain the history and reconstruction of the case. Therefore, the examination of electronic evidence should be based on SOP 6 to 15, which refer to the international guidelines issued by the Association of Chief Police Officers (ACPO) and 7Safe in the UK and by the National Institute of Justice under the Department of Justice in the US, so that the results are as expected and can be scientifically and legally justified.
In addition to those SOPs, digital forensic examination of electronic evidence should also be carried out according to SOP 2, which governs the working hours commitment for each examination, including its phases in detail. This is aimed at running the examination efficiently and effectively so that it can support and speed up the inquiry/further investigation.
In order to obtain an integrated set of SOPs for digital forensic examinations as a whole, SOP 1 is required, which describes the procedure for a comprehensive digital forensic examination, starting from activities at the scene through to laboratory analysis. Through SOP 1, it is expected that digital forensic examiners and investigators understand that the digital forensics function starts with the initial examination at the scene and continues with the more complex examination in the laboratory. Because the initial handling of the evidence involves the digital forensics function, the procedural validity of the evidence and the integrity of the chain of custody (the journey of the evidence from the crime scene to the trial) can be justified scientifically. In addition, the need for speed in obtaining initial data for the inquiry/investigation can be met, because implementing SOP 1 in the initial examination of electronic evidence at the crime scene ensures it is done correctly.

2. Purpose

For orderly administration and technical handling of electronic evidence in a comprehensive manner, starting from the crime scene to the laboratory, in order to support the inquiry/investigation quickly and correctly.

It refers to the 'Good Practice Guide for Computer-Based Electronic Evidence' published by the Association of Chief Police Officers (ACPO). The principles are:
6.1.1. Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
6.1.2. Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
6.1.3. Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
6.1.4. Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
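Principles 1 and 3 translate directly into two routine checks in the lab: hash the source and the image before and after acquisition so that any alteration is detectable, and keep an audit record that lets an independent examiner repeat the process and reach the same result. The following Python script is an added example written for this page, not code from the SOP or from the ACPO guide; the case identifier, examiner name, file names, log layout and the 'evidence' bytes are constructed assumptions.

```python
"""Added example (not part of the SOP text): acquisition verification and
audit trail following ACPO Principles 1 and 3.

Principle 1: the examiner never works on the original; the forensic image
must hash identically to the source.
Principle 3: every step is recorded so an independent third party can
repeat it and reach the same hashes.

Case ID, examiner, file names, log format and sample bytes are assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 1024 * 1024  # 1 MiB chunks so large images do not exhaust memory


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, read once in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(BLOCK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


class AuditTrail:
    """Append-only record of every process applied to the evidence (Principle 3)."""

    def __init__(self, case_id, examiner):
        self.case_id = case_id
        self.examiner = examiner
        self.entries = []

    def record(self, action, **details):
        entry = {
            "case_id": self.case_id,
            "examiner": self.examiner,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            **details,
        }
        self.entries.append(entry)
        return entry

    def dump(self):
        # One JSON object per line: easy to append, easy for a third party to read.
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def acquire(source_path, image_path, trail):
    """Bit-for-bit copy of source to image; hash both sides and log each step."""
    src_md5, src_sha = hash_file(source_path)
    trail.record("hash_source", path=source_path, md5=src_md5, sha256=src_sha)

    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
    trail.record("acquire", source=source_path, image=image_path)

    img_md5, img_sha = hash_file(image_path)
    trail.record("hash_image", path=image_path, md5=img_md5, sha256=img_sha)

    # Principle 1 check: the image must be identical to the source.
    verified = (src_md5, src_sha) == (img_md5, img_sha)
    trail.record("verify", result="match" if verified else "MISMATCH")
    return verified


def independent_verification(image_path, expected_sha256):
    """What a third party does (Principle 3): recompute and compare."""
    return hash_file(image_path)[1] == expected_sha256


def demo():
    """Run the whole flow on a constructed 'evidence' file in a temp directory."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "suspect_usb.bin")   # assumed name
        image = os.path.join(workdir, "suspect_usb.dd")     # assumed name
        with open(source, "wb") as fh:
            fh.write(b"CONSTRUCTED SAMPLE EVIDENCE " * 4096)  # not real data

        trail = AuditTrail(case_id="LAB/2013/0001", examiner="Examiner A")
        ok = acquire(source, image, trail)
        expected = trail.entries[-2]["sha256"]  # the hash_image entry

        # An independent examiner recomputes the hash of the untouched image.
        third_party_ok = independent_verification(image, expected)

        # Alter one byte of the image: the recomputed hash no longer matches.
        with open(image, "r+b") as fh:
            fh.seek(0)
            fh.write(b"X")
        altered_ok = independent_verification(image, expected)

        return ok, third_party_ok, altered_ok, expected, trail.dump()


if __name__ == "__main__":
    ok, third_ok, altered_ok, sha, log = demo()
    print("acquisition verified:", ok)
    print("independent verification:", third_ok)
    print("verification after alteration:", altered_ok)
    print(log)
```

Two hashes are kept because older reports list MD5 while newer ones expect SHA-256; recording both lets a re-examination match either. The JSON-lines audit log is deliberately plain text so that a third party needs no special tool to read it.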

6.2. Triage Forensic

6.2.1. Examination procedure when the evidence is in the OFF state
The phases below are comprehensively explained in detail in SOP 6 on Triage Forensics:
- Checking
- Power off
- Labeling
- Documentation
- Submitting to the lab

6.2.2. Examination procedure when the evidence is in the ON state
The phases below are comprehensively explained in detail in SOP 6 on Triage Forensics, except for live acquisition:
- Checking
- Initial Data Extraction
- Live Acquisition, referring to SOP 7
- Power off
- Labeling
- Documentation
- Submitting to the lab

6.3. Further examination in the lab

6.3.1. Examination and Analysis on Harddisk, Flashdisk and Memory Card
The phases below are comprehensively explained in detail in their respective SOPs, while the predicted length of time required for each stage is described in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Analysis: SOP 9
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.2. Examination and Analysis on Handphone and Simcard
The phases below are comprehensively explained in detail in their respective SOPs, while the predicted length of time required for each stage is described in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 10
- Analysis: SOP 11
- Reporting: SOP 3
- Submitting evidence: SOP 5

Friday, 5 April 2013

On this occasion, I'd like to discuss SOPs on digital forensics. As we know, digital forensics is a branch of computer specialization which is growing significantly at this time, with high demand in the computer market. All over the world, finding a professional digital forensic analyst/investigator is not as easy as in other computer fields, as their number in each country is small compared to other computer fields.

To be a good and professional digital forensic analyst/investigator, one needs a good technical and academic background, supported by good software and hardware. Besides that, it also requires good SOPs to guide the steps of digital forensic examination/analysis so that they are done properly. Without good SOPs, the analyst/investigator could go wrong in their examination/analysis. They would just rely on hardware/software like an ordinary operator. When they hit a wall, they give up. They are not creative in finding the best solution for their problem.

The SOPs are also designed for accountable examination/analysis. When the results are questioned, they can be re-examined/re-analyzed by a third-party digital forensic analyst/investigator. With the same SOPs, the results should be the same. The SOPs are also established to show that proper scientific steps are still better and more valuable than hardware/software. Hardware/software are just tools for the analyst/investigator. They need them, but they should not put them at the very top of the sky like God. There is a good philosophy followed by me and my team: "No system is perfect" and "No hardware/software is perfect". Each has its own strengths and weaknesses. That is why a digital forensic analyst/investigator should have many good hardware/software tools, and use them in a proper way to find out which one gives the best results for the examination/analysis. The proper way is the steps guided by the SOPs.

A good SOP should not contain or mention the name of any hardware/software. It should only contain the steps of examination/analysis. How to apply it using hardware/software depends on the analyst/investigator, who chooses which hardware/software can give the best results. The analyst/investigator plays the role of a good chef who can choose which ingredients (without brand names) are best in order to cook a delicious meal. The ingredients here are the hardware/software, and the SOPs are the recipe.

The SOPs above have been implemented at my lab since 2 years ago. We are not rigid about adopting new techniques/methodologies to make our SOPs better. Since implementation, the SOPs have already been reviewed three times, following the latest technology/methodology. The number of SOPs will most probably increase. For instance, at this moment we are in the process of making a new SOP on expert witnesses. Our SOPs are not confidential. They are based on scientific and legal ways, which is why our SOPs are also used by several digital forensic labs of governments and companies in Indonesia. They adopt our SOPs for implementation at their own labs.

Wednesday, 3 April 2013

From what I know, at this moment the forms of attack targeting banks or financial institutions are dominantly via trojan horses and DDoS. Several incidents show that trojans are frequently used when the criminals want to obtain as much bank-related information as possible. The news below shows that the attackers want the victim to be unable to run their financial business properly; the DDoS attack could even be a cover for hiding or disguising online bank fraud. I hope the banks' security teams have already taken some hardening actions to anticipate these attacks.

From The SANS Institute:
Attacks on US Financial Institutions Continue (March 29 & 30, 2013) A group claiming responsibility for a recent distributed denial-of-service (DDoS) attack against the American Express website is the same one that has been targeting US financial institutions since September 2012. While the primary focus of the group's efforts appears to be crippling the banks' websites, there is concern that the attacks could provide a cover for fraudulent transactions.
http://arstechnica.com/security/2013/03/funded-hacktivism-or-cyber-terrorists-amex-attackers-have-big-bankroll/
http://www.usatoday.com/story/tech/2013/03/29/american-express-denial-of-service-hack/2030197/

About Me

I have been working for the Indonesian Police Forensic Laboratory Centre (Puslabfor Bareskrim Polri) since 1997. My current job is Chief of the Computer Forensic Sub-Department. My core duties are to handle digital forensic investigation and analysis of electronic and digital evidence. I am the pioneer of developing computer forensic capabilities at Puslabfor Bareskrim Polri, which started in around 2000. Last year, in 2012, I and my team successfully investigated and analyzed 488 items of evidence which came from 81 cases of computer crime and computer-related crime.
In 2012 I wrote a book with the title "Digital Forensic: Practical Guidelines for Forensic Investigation". Its contents are mostly from the knowledge and science I gained from the MSc in Forensic Informatics at the University of Strathclyde in the UK in 2008/2009 through the Chevening Scholarships. In 2010, the British Council in Indonesia gave me a prestigious award as one of "The Super Six UK Alumni".